From owner-freebsd-questions@FreeBSD.ORG Thu Feb 17 02:18:19 2005
Message-ID: <810a540e05021618183355fc82@mail.gmail.com>
Date: Wed, 16 Feb 2005 19:18:17 -0700
From: Pat Maddox
To: Volker Kindermann
Cc: freebsd-questions@freebsd.org
In-Reply-To: <42133BFD.1090004@ps102.de>
References: <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com> <810a540e05021420555412f1b0@mail.gmail.com> <42133BFD.1090004@ps102.de>
Subject: Re: Configuring PF

I've managed to come up with something that works so far. I am having two problems though.
The first is that I can't authenticate for IMAP anymore. No clue why, it just keeps rejecting my password. maillog shows "imapd: LOGIN FAILED", that's it.

Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of

    block in log on $ext_if proto udp all

So all UDP ports should be shown as closed. Doesn't really make any sense to me.

Anyone care to help? Thanks for the help so far.

Pat

On Wed, 16 Feb 2005 13:26:37 +0100, Volker Kindermann wrote:
> Hi Pat,
>
> > Is there any place I can find a good default ruleset for a server, and
> > just change what ports I want open?
>
> pf originates at openbsd. There you'll find lots of documentation, the
> pf-faq, and the (as always in the BSD world) excellent manpages.
>
> In addition there's the pf-repository at: https://solarflux.org/pf/
>
> And there are some books which include examples.
>
> > Also, I've noticed that some rulesets will have different flags and
> > keep state on for certain TCP ports, but not others. For example, at
> > https://www.section6.net/help/pf.php I found:
> > #WebServer, HTTPS, 8000
> > pass in on $extif proto tcp from any to any port 80 flags S/SA
> > pass in on $extif proto tcp from any to any port $tcp_services flags S/SA synproxy state
> >
> > tcp_services is {22, 443}
> >
> > I don't understand why they use synproxy state for 22 and 443, but not 80
>
> Because synproxy as a security feature has a drawback: speed. Do you
> understand what synproxy does? It completes the three-way handshake at
> the firewall first and only if this succeeds it forwards the connection
> to the (web)server. This takes some small amount of time.
>
> Acceptable with protocols like ssh and https but mostly unacceptable
> with http.
>
> -volker
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
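As an added example (not a ruleset from this thread or from section6.net), here is a minimal server pf.conf that puts the pieces under discussion side by side: a logged default deny, a plain stateful pass for port 80, synproxy for ssh and https, an explicit IMAP pass, and the UDP catch-all. The interface name, the UDP service list and the IMAP ports are assumptions; `keep state` and `flags S/SA` are written out because pf of that era did not apply them by default (current pf does). The last commented rule is the check for the "all UDP ports show as open" symptom: with the default `block-policy drop` no ICMP unreachable is sent, so a UDP scanner cannot distinguish a blocked port from a silent open one and reports it as open|filtered.

```pf
# Added example, not the original poster's ruleset. Names are assumptions.
ext_if = "fxp0"                 # assumption: external interface
tcp_services = "{ 22, 443 }"    # ssh and https, as in the quoted rules
udp_services = "{ 53 }"         # hypothetical: only if a DNS service runs here

set block-policy drop           # silently drop; UDP scans then show open|filtered
set skip on lo0

# Logged default deny: blocked packets appear on pflog0.
block in log all
block out log all

# Host-originated traffic, stateful so replies get back in.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Web server: ordinary stateful pass, no synproxy handshake latency on port 80.
pass in on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state

# ssh/https: pf completes the three-way handshake before the daemon sees it.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state

# IMAP (143) and IMAPS (993): explicitly allowed so client logins reach imapd.
pass in on $ext_if proto tcp from any to $ext_if port { 143, 993 } \
    flags S/SA keep state

# UDP: only the listed services; everything else hits the block above.
pass in on $ext_if proto udp from any to $ext_if port $udp_services keep state

# To make blocked UDP ports show as "closed" rather than "open|filtered",
# answer UDP with ICMP port unreachable instead of dropping silently:
# block return-icmp in log on $ext_if proto udp all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and read what the block rules rejected with `tcpdump -n -e -ttt -i pflog0`.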